Brocade Fabric OS Encryption Administrator's Guide v6.3.0 (53-1001341-02, July 2009)

Appendix D: Thales Encryption Manager for Storage
Communication with the Thales Encryption Manager for Storage (TEMS) is referred to as NCKA in
operational descriptions in this appendix. NCKA is secured by wrapping DEKs in a master key. The
encryption engine must generate its own master key, send DEKs to NCKA encrypted in the master
key, and decrypt DEKs received from NCKA using the same master key. The master key may
optionally be stored as a key record in the NCKA key vault as a backup, but NCKA does not assume
responsibility for the master key. The master key must be backed up and stored, and policies and
procedures for responding to theft or loss must be in place.
The Thales key vault provides a web user interface for management of clients, keys, admins, and
configuration parameters. The process for setting up a Brocade encryption switch or blade client
consists of the following:
- Creating domains, groups, and clients.
- Creating certificates for SSL communication between the key vault and the client.
A Thales officer creates domains, groups, and managers (a type of administrator), assigns groups
to domains and assigns managers to manage groups. Managers are responsible for creating
clients and passwords for the groups they manage.
Generating the Brocade user name and password
The Thales key vaults require that a user name and password be configured on every member of
an encryption group, using the following command.
cryptocfg --reg -KAClogin <primary|secondary>
For each node in the encryption group, a different username is generated based on the switch
WWN. A password must be configured for this user for the primary and, if configured, the
secondary key vault. This user must exist on each configured key vault, and the password for that
user must match the password created.
The username and password configuration on the encryption switch or blade should be done
before configuring the username and password on the key vault itself. The password on the
encryption switch or blade can be changed at any time, as long as the corresponding password is
changed on the key vault as well.
Adding a client
Communication must be over an SSL connection. This requires creation of a client certificate
signed by a Certificate Authority (CA) on the key vault. It is assumed that a CA has been created by
an officer at the key vault, and a CA certificate has been generated. Also, a group must be created
for Brocade by an administrator. This group must exist and is the only supported group for the
Brocade encryption switch and blade. Details about how to set up a CA and a group can be found in
Thales documentation.
NOTE
Each Thales key vault has both a management IP address and a data IP address. Clients must
communicate with the key vaults using the data IP address.